A Comparative Study on Improved User Authentication Scheme in Response to Smart-card Loss Attack
Jae-young Lee

Jae-young Lee, School of Information & Communication Systems, Semyung University, Semyeong-Ro, Jecheon-Si, Chungcheongbuk-Do, Republic of Korea, East Asia.

Manuscript received on 05 June 2019 | Revised Manuscript received on 12 June 2019 | Manuscript Published on 22 June 2019 | PP: 1108-1112 | Volume-8 Issue-8S2 June 2019 | Retrieval Number: H11880688S219/19©BEIESP

© The Authors. Blue Eyes Intelligence Engineering and Sciences Publication (BEIESP). This is an open-access article under the CC-BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)

Abstract: The existing smart-card based user authentication technique is vulnerable to attacks that begin with hijacking the smart-card of an arbitrary user. An attacker who has acquired smart-card data can intercept messages exchanged among users over open channels and use them for ID guessing, password guessing and session key extraction attacks.

Methods/Statistical analysis: Using data acquired from the hijacked messages, attackers can guess the ID and password of arbitrary users and, through the guessed ID, attempt attacks against session keys. The user authentication scheme proposed in this paper enables a response to these attacks by improving the existing scheme, in which the server's random number could be generated from acquired data alone; as a result, attackers are unable to obtain Ni, a variable recording the server registration request frequency, and the essential values for the authentication stages.

Findings: The existing scheme has three problems. First, it cannot generate Yi, which is necessary for authentication, because of errors in the server's user authentication stage. Second, when a fully registered user uses their own smart-card, ID and password, a problem arises in which a significant random number of the server can be created. Third, if attackers hijack the smart-cards and login request messages of arbitrary users, the scheme becomes vulnerable to user ID and password guessing and to session key extraction via the guessed ID. Hence, first, the errors in the authentication phase are corrected so that, when Yi is generated during the user authentication stage that serves login requests, only server-related data is used to create Yi. Second, a response to external attacks is enabled by fixing the issue that the server's significant random numbers are easily calculated from an attacker's own smart-card, ID and password. Third, even if attackers who have hijacked the smart-cards and login request messages of arbitrary users acquire important data, they cannot guess the ID or password of any arbitrary user, and session key extraction is no longer possible.

Improvements/Applications: The existing scheme, in which the significant values for user authentication could easily be produced merely by acquiring a smart-card and messages on open channels, is improved; a new user authentication scheme is therefore proposed that enables a response to attacks based on the acquisition of smart-cards and messages.

Keywords: IoT, User Authentication, Smart-Card Loss Attack, Password-Guessing Attack, ID-Guessing Attack, Session Key.
Scope of the Article: Authentication, Authorization, Accounting